Splunk Search

SubSearch

giorgioanastasi
Explorer

Hi, I would have this need, that is to carry out a search that extracts all users who use iphone with SO = 9. * and then through the extracted users, search through them who has also used another device.

One solution would be to run the first search, get the list of all users and then do a new search with UsersId in input.

First search: search model = iphone so = 9. * | table UserId

Second search: search UserId IN (user list of the first search) model! = iphone

Would it be possible to do this extraction with just one search?

Thanks

Labels (1)
0 Karma

giorgioanastasi
Explorer

So, of the suggested searches, only this one (swong_splunk) extracts the results (correct?):

tag=Operativo NOT(SO=ios AND VersSO="9.*") | dedup IdCliente | search
[search tag=Operativo (SO=ios AND VersSO="9.*")
| table IdCliente
| dedup IdCliente
| table IdCliente
| format]

This search extracts all customer codes that use ios 9. * but have also used a different device. I would need the opposite, that is, only customers who have used exclusively ios 9. * (but I can get them by difference from the list of those who use ios 9. * minus the search list above)

 

This research does not extract anything:

tag=Operativo
| eval iphone9=if(SO=ios AND match(VersSO,"9\..*"),"Yes","No")
| stats count(eval(iphone9="Yes")) as iphoner dc(model) as modelcount by  IdCliente
| search iphoner>0
| sort IdCliente

0 Karma

PickleRick
Ultra Champion

I can think of several more or less ugly solutions to this problem 😉

But an elegant one is with eventstats

index=whatever
| eventstats dc(model) as modelcount by UserId
| search model=iphone so=9.* modelcount>1

That will hovewer only give you the iphone of users who use iphone 9.* as well as other phone. If that's enough because you only want the users themselves, that's ok.

If you also want to know what other phones they use, you might use similar trick to that proposed by @gcusello 

index=whatever
| eventstats dc(model) as modelcount count(eval(model="iphone" AND match(os,"9\..*")) as iphoner by UserId
| search iphoner>0 modelcount>1
| sort UserId
0 Karma

swong_splunk
Splunk Employee
Splunk Employee
Give this a try:

index=main model! = iphone
[search index=main model = iphone so = 9. *
 | table UserId
| dedup UserId
| table UserId
| format]
0 Karma

gcusello
Esteemed Legend

Hi @giorgioanastasi,

you could try something like this:

index=main 
| stats count(eval(model="iphone" AND so="9.*")) AS iphone9 count(eval(NOT (model="iphone" AND so="9.*"))) AS not_iphone9 BY UserId

Ciao.

Giuseppe

0 Karma

giorgioanastasi
Explorer

Hi Giuseppe !! How are you ?? 

you should know these files very well! 😉

unfortunately with your search it does not work, strangely:count(eval(SO="ios" AND VersSO="9.*")) AS iphone9 is always 0

 

this is the search:

tag=Operativo | stats count(eval(SO="ios" AND VersSO="9.*")) AS iphone9 count(eval(NOT (SO="ios" AND VersSO="9.*"))) AS not_iphone9 BY NDG

 

 

0 Karma

gcusello
Esteemed Legend

Hi @giorgioanastasi,

Ciao Giorgio, it's a pleasure to speak with you!

please try something like this (that's similar to the solution of @PickleRick.:

index=whatever
| eval iphone9=if(model="iphone" AND match(os,"9\..*"),"Yes","No"),
| stats count(eval(iphone9="Yes") as iphoner dc(model) as modelcount by UserId
| search iphoner>0
| sort UserId

Ciao.

Giuseppe

0 Karma

giorgioanastasi
Explorer

So, of the suggested searches, only this one (swong_splunk) extracts the results (correct?):

tag=Operativo NOT(SO=ios AND VersSO="9.*") | dedup IdCliente | search
[search tag=Operativo (SO=ios AND VersSO="9.*")
| table IdCliente
| dedup IdCliente
| table IdCliente
| format]

This search extracts all customer codes that use ios 9. * but have also used a different device. I would need the opposite, that is, only customers who have used exclusively ios 9. * (but I can get them by difference from the list of those who use ios 9. * minus the search list above)

 

This research does not extract anything:

tag=Operativo
| eval iphone9=if(SO=ios AND match(VersSO,"9\..*"),"Yes","No")
| stats count(eval(iphone9="Yes")) as iphoner dc(model) as modelcount by  IdCliente
| search iphoner>0
| sort IdCliente

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...